XSS Safe Templates

2016-03-23 17:31:14 -04:00
parent 3332721948
commit 9af1aa30a9
6 changed files with 26 additions and 10 deletions
--- a/lms/templates/survey/survey.html
+++ b/lms/templates/survey/survey.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="../main.html" />
 <%namespace name='static' file='../static_content.html'/>
 <%!
@@ -26,7 +27,7 @@ from django.utils import html
        <div class="header-survey">
          <h4 class="course-info">
            <span class="course-org">${course.display_org_with_default}</span><span class="course-number"> ${course.display_number_with_default}</span>
-            <span class="course-name">${course.display_name | h}</span>
+            <span class="course-name">${course.display_name}</span>
          </h4>
          <h3 class="title">${_("Pre-Course Survey")}</h3>
        </div>
@@ -41,7 +42,7 @@ from django.utils import html
        <ul class="message-copy"> </ul>
      </div>

-      ${survey_form}
+      ${survey_form | n, unicode}

      <div class="form-actions">
        <button name="submit" type="submit" id="submit" class="action action-primary action-update">${_('Submit')}</button>
--- a/lms/templates/tab_module.html
+++ b/lms/templates/tab_module.html
@@ -1,3 +1,10 @@
+<%page expression_filter="h"/>
+<%!
+from openedx.core.djangolib.js_utils import (
+    dump_js_escaped_json, js_escaped_string
+)
+%>
+
 <div id="tab_${id}" class="tab">
  <ul class="navigation"></ul>
 </div>
@@ -5,7 +12,7 @@
 <%block name="js_extra">
 <script type="text/javascript">
  $(function(){
-      new Tab('${id}', ${items});
+      new Tab('${id | n, js_escaped_string}', ${items | n, dump_js_escaped_json});
  });
 </script>
 </%block>
--- a/lms/templates/themable-footer.html
+++ b/lms/templates/themable-footer.html
@@ -1,4 +1,5 @@
 ## mako
+<%page expression_filter="h"/>
 <%namespace name='static' file='static_content.html'/>

 ## This file only exists as an additional layer of indirection to preserve
--- a/lms/templates/tracking_log.html
+++ b/lms/templates/tracking_log.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>

 <html>
@@ -13,4 +14,4 @@
    </tr>
 % endfor
 </table>    
-</html>
+</html>
--- a/lms/templates/unsubscribe.html
+++ b/lms/templates/unsubscribe.html
@@ -1,4 +1,6 @@
+<%page expression_filter="h"/>
 <%!
+from openedx.core.djangolib.markup import Text, HTML
 from django.core.urlresolvers import reverse
 from django.utils.translation import ugettext as _
 from django.conf import settings
@@ -14,13 +16,16 @@ from django.conf import settings
    <hr class="horizontal-divider">

    <p>
-      ${_("You will no longer receive forum notification emails from {platform_name}. "
+      ${Text(
+        _("You will no longer receive forum notification emails from {platform_name}. "
          "You may {dashboard_link_start}return to your dashboard{link_end}. "
-          "If you did not mean to do this, {undo_link_start}you can re-subscribe{link_end}.").format(
-             platform_name=settings.PLATFORM_NAME,
-             dashboard_link_start="<a href='{}'>".format(reverse('dashboard')),
-             undo_link_start="<a id='resub_link' href='{}'>".format(reverse('resubscribe_forum_update', args=[token])),
-             link_end="</a>",)}
+          "If you did not mean to do this, {undo_link_start}you can re-subscribe{link_end}."
+        )).format(
+            platform_name=settings.PLATFORM_NAME,
+            dashboard_link_start=HTML("<a href='{}'>".format(reverse('dashboard'))),
+            undo_link_start=HTML("<a id='resub_link' href='{}'>".format(reverse('resubscribe_forum_update', args=[token]))),
+            link_end=HTML("</a>"),
+        )}
    </p>
  </section>
 </section>
--- a/lms/templates/using.html
+++ b/lms/templates/using.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>

 <h1>${_('Using the system')}</h1>